checkm8 -- Bootrom Exploit
checkm8 is an exploit for a bug in SecureROM (the bootrom) that affects A5 through A11 chips. It is a permanent exploit – Apple cannot patch it, because the bootrom is burned into silicon at manufacturing time and cannot be updated by software.
Overview
| Field | Detail |
|---|---|
| CVE | CVE-2019-8900 |
| Discoverer | axi0mX |
| Disclosed | September 2019 |
| Affected | A5 (iPhone 4S) through A11 (iPhone X) |
| Type | Use-after-free in the USB DFU stack |
| Permanence | Permanent – cannot be patched |
| Used by | checkra1n, palera1n |
SecureROM (Bootrom)
Boot chain:
SecureROM (bootrom) → iBoot Stage 1 → iBoot Stage 2 → Kernel
SecureROM:
- First code executed when device powers on
- Burned into silicon at factory (read-only)
- Verifies signature of iBoot before loading
- Contains USB DFU (Device Firmware Upgrade) mode
- ~1MB code, very small attack surface
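The chain of trust described above, as an added teaching model (this is not Apple's SecureROM or iBoot code): each stage verifies the next image against a pinned digest before jumping to it, and no stage ever re-verifies the stage that loaded it. FNV-1a stands in for the real signature check, the image contents are constructed sample strings, and a bootrom whose verification has been bypassed is modelled simply as a stage whose check does not run.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed sample images; the "patched" iBoot differs by a few bytes. */
static const uint8_t GENUINE_IBOOT1[] = "iBoot stage 1 (constructed sample)";
static const uint8_t PATCHED_IBOOT1[] = "iBoot stage 1 (constructed sample, patched)";
static const uint8_t IBOOT2[]         = "iBoot stage 2 (constructed sample)";
static const uint8_t KERNEL[]         = "kernelcache (constructed sample)";

typedef struct {
    const char    *name;
    const uint8_t *image;
    size_t         len;
    uint64_t       pinned_digest;  /* what the previous stage expects to see */
} stage_t;

/* 64-bit FNV-1a: a placeholder for the signature verification each stage does. */
uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Walks the chain: stage i verifies stage i+1 before handing over control.
 * verifier_runs[i] == false models a stage whose check has been bypassed.
 * Returns the index of the first image that is rejected, or -1 when the
 * whole chain is accepted. */
int walk_chain(const stage_t *st, const bool *verifier_runs, size_t n) {
    for (size_t i = 0; i + 1 < n; i++) {
        if (!verifier_runs[i]) continue;   /* this stage no longer checks anything */
        if (fnv1a64(st[i + 1].image, st[i + 1].len) != st[i + 1].pinned_digest)
            return (int)(i + 1);
    }
    return -1;
}

/* Builds the four-stage chain from the page and runs it. */
int boot_chain_result(bool bootrom_check_runs, bool iboot1_patched) {
    const uint8_t *ib1 = iboot1_patched ? PATCHED_IBOOT1 : GENUINE_IBOOT1;
    size_t ib1_len = iboot1_patched ? sizeof PATCHED_IBOOT1 : sizeof GENUINE_IBOOT1;
    stage_t st[4] = {
        { "SecureROM",     NULL, 0, 0 },   /* root of trust: nothing verifies it */
        { "iBoot Stage 1", ib1, ib1_len, fnv1a64(GENUINE_IBOOT1, sizeof GENUINE_IBOOT1) },
        { "iBoot Stage 2", IBOOT2, sizeof IBOOT2, fnv1a64(IBOOT2, sizeof IBOOT2) },
        { "Kernel",        KERNEL, sizeof KERNEL, fnv1a64(KERNEL, sizeof KERNEL) },
    };
    /* Only the SecureROM link is toggled. Later stages still run their own
     * checks, but none of them looks backwards at the stage that loaded it. */
    bool verifier_runs[4] = { bootrom_check_runs, true, true, true };
    return walk_chain(st, verifier_runs, 4);
}

int main(void) {
    printf("intact bootrom, genuine iBoot  : %d\n", boot_chain_result(true, false));
    printf("intact bootrom, patched iBoot  : %d\n", boot_chain_result(true, true));
    printf("bypassed bootrom, patched iBoot: %d\n", boot_chain_result(false, true));
    return 0;
}
```

With an intact bootrom the patched iBoot is rejected at stage 1; once the bootrom's check is out of the picture the same image boots and every later stage reports success, which is why there is no software fix for a bootrom bug and why the only remedy is new silicon.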
Vulnerability
USB DFU Mode
DFU mode allows restoring firmware via USB. Protocol:
1. Host sends firmware data in USB transfers
2. Device receives data into buffer
3. Device verifies and applies firmware
The Bug
USB request lifecycle in DFU:
1. Setup phase: allocate I/O request buffer
2. Data phase: receive data into buffer
3. Status phase: complete request, process data
Race condition:
1. Host starts a DFU upload → device allocates the I/O request buffer
2. Host sends data → device receives it into the buffer
3. Host sends a USB RESET during the status phase
   → device deallocates (frees) the I/O request buffer
4. But the DMA engine still holds a reference to the freed buffer
   → when DFU restarts, the old buffer pointer is reused
   → use-after-free
Trigger sequence:
USB_CTRL_REQUEST → allocate buffer
USB_DATA → fill buffer with controlled data
USB_RESET → free buffer (but pointer persists)
USB_CTRL_REQUEST → reuse freed buffer → exploit!
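The lifecycle bug above, as an added teaching model in C (constructed for this page; it is not SecureROM's USB stack and does not touch a device): a two-slot pool stands in for the bootrom heap, a DFU state machine owns an I/O request, and a "DMA engine" keeps its own raw pointer to that buffer. The vulnerable reset frees the request but leaves the DMA engine armed, so the next allocation from the same slot is silently overwritten by a late transfer; the hardened reset disarms DMA before the memory goes back to the pool. The late data bytes are a constructed sample.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE   64
#define POOL_SLOTS 2

typedef struct {
    uint8_t data[BUF_SIZE];
    size_t  len;
} io_request_t;

static io_request_t pool[POOL_SLOTS];
static bool         pool_used[POOL_SLOTS];

/* First-fit allocator: a freed slot is handed out again on the very next
 * request, which is what makes a dangling pointer dangerous. */
static io_request_t *pool_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool_used[i]) {
            pool_used[i] = true;
            memset(&pool[i], 0, sizeof pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}
static void pool_free(io_request_t *r) { pool_used[r - pool] = false; }
static void pool_reset(void) { memset(pool_used, 0, sizeof pool_used); }

/* DMA engine: remembers which buffer it was armed on. */
static io_request_t *dma_target;

typedef struct { io_request_t *current; } dfu_t;

/* Setup phase: allocate the request and arm DMA on it. */
static bool dfu_setup(dfu_t *d) {
    d->current = pool_alloc();
    if (!d->current) return false;
    dma_target = d->current;
    return true;
}

/* Data phase: DMA copies host bytes into whatever buffer it is armed on. */
static void dma_deliver(const uint8_t *src, size_t n) {
    if (!dma_target || n > BUF_SIZE) return;
    memcpy(dma_target->data, src, n);
    dma_target->len = n;
}

/* Vulnerable reset: frees the request but leaves the DMA engine armed. */
static void dfu_reset_vulnerable(dfu_t *d) {
    if (d->current) { pool_free(d->current); d->current = NULL; }
    /* BUG: dma_target still points into the freed slot */
}

/* Hardened reset: disarm DMA before the memory returns to the pool. */
static void dfu_reset_hardened(dfu_t *d) {
    if (dma_target == d->current) dma_target = NULL;
    if (d->current) { pool_free(d->current); d->current = NULL; }
}

static const uint8_t LATE_DATA[] = "bytes arriving after the reset";  /* constructed */

/* Runs setup → reset → new allocation → late DMA completion. Returns 1 when
 * the stale DMA pointer wrote into memory a new object now owns (the
 * use-after-free), 0 when the reset cleaned up properly. */
int late_dma_write_corrupts_new_object(bool hardened) {
    pool_reset();
    dma_target = NULL;
    dfu_t d = {0};
    dfu_setup(&d);                                    /* buffer allocated, DMA armed */
    if (hardened) dfu_reset_hardened(&d);
    else          dfu_reset_vulnerable(&d);           /* USB reset arrives */
    io_request_t *fresh = pool_alloc();               /* next session gets the same slot */
    dma_deliver(LATE_DATA, sizeof LATE_DATA);         /* in-flight transfer completes */
    return fresh->len != 0 &&
           memcmp(fresh->data, LATE_DATA, sizeof LATE_DATA) == 0;
}

int main(void) {
    printf("vulnerable reset: corrupted=%d\n", late_dma_write_corrupts_new_object(false));
    printf("hardened reset  : corrupted=%d\n", late_dma_write_corrupts_new_object(true));
    return 0;
}
```

The fix is the ordering: every outstanding reference held by another component (here the DMA engine) is cleared before the object is freed, and the object itself is zeroed on reallocation so nothing stale survives. Reviewing reset and error paths for exactly this "free first, forget the other owner" pattern is the most effective way to catch this class of bug in any firmware USB stack.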
Exploitation
1. Trigger the UAF → the freed buffer is reallocated with attacker-controlled data
2. Overwrite a USB request handler function pointer
3. Next USB operation → the handler call lands at the attacker's address → code execution in SecureROM context
4. SecureROM runs at the highest privilege level, before any other software
   → full device control
   → bypass of the Secure Boot chain
   → load a patched iBoot, which loads a patched kernel
checkra1n / palera1n
checkra1n
- Semi-tethered jailbreak using checkm8
- Supports iOS 12-14 (some support for iOS 15+)
- Requires computer connection each boot
- Patches kernel at boot time, before any software mitigations
palera1n
- Based on checkm8 + pongoOS (custom pre-boot environment)
- Supports iOS 15-17 on checkm8-vulnerable devices
- Rootless mode (iOS 15+)
- Active development community
Workflow
1. Device enters DFU mode (hardware button combo)
2. checkra1n/palera1n sends checkm8 exploit via USB
3. Code execution in SecureROM → load pongoOS
4. pongoOS patches iBoot → loads patched kernel
5. Patched kernel → jailbreak environment
6. Install Sileo/Zebra + tweaks
Why This Matters
- Unfixable: Any device with an A5-A11 chip is always jailbreakable
- Pre-boot execution: Code runs before any software – bypasses all software mitigations
- Research platform: Enables kernel debugging, custom kernelcache
- Learning tool: The best way to learn iOS internals because you have full control
Limitations
- Tethered/semi-tethered: requires a computer each boot (or after reboot)
- A5-A11 only: iPhone X is the newest affected device
- USB access required: physical access to the device is needed
- Does not apply to A12+ (Apple fixed the bootrom)